NAC security mechanisms, for instance firewalls, are routinely prescribed as requirements for compliance to security standards such as PCI-DSS and ISO 27000. However, the effectiveness of a NAC configuration may be hampered by poor understanding and/or management of the overall security configuration, which may in turn, unnecessarily expose the enterprise to known security threats. New threats and/or service requirements often result in firefighting by ad-hoc modification to an already large and complex configuration. This complexity is further compounded by the diverse range of NAC mechanisms used to secure an enterprise; ranging from firewalls and proxies to NAC-style controls within applications themselves. As a consequence, it can be difficult to ensure that the current NAC configuration is effective, that is, it sufficiently mitigates threats while providing necessary access to services. Ensuring ongoing best-practice NAC administration can be costly as it requires up to date expert knowledge in a rapidly changing field.

A knowledge base is being developed that contains detailed prescriptions for threat management. These catalogues of best practice describe how known threats are mitigated control configurations and are continually updated to reflect newly discovered vulnerabilities and revisions to best practice.